
Firefox accusing me of distributing malware on my site

@Murray155

Posted in: #Firefox #GoogleChrome #Malware

I noticed that Firefox has decided to block some EXE installers from my site, showing a label Blocked: May contain virus or spyware. I right-click the file, select Unblock, and this message is shown with the Unblock Anyway and Keep me Safe options:

"The file contains a virus or other malware that will harm your computer. You can search for an alternate download source or continue anyway."

Notice that the dialog does not say may; it says will harm your computer.

On what basis is this warning being shown?

No one knows for sure which provider Chrome and Firefox are using for their extensive list of false positives. Some say that the site stopbadware.org is responsible, but I'm not so sure.

Please advise on how to proceed to restore what's left of my site's and software's reputation in an immediately effective way, before it's too late.
Thank you.

For those asking about the site and software, it's this: www.andreszsogon.com/grf-wizard/
The software is mine. It's a simple GUI for a command line tool; I developed it with VB6, compressed the app's EXE with UPX compressor, built the installer with Inno Setup, then uploaded it via FTP. I invite you to install it, test it and scan it all you want.




6 Comments


 

@Jennifer507

I run a 20-year-old software enthusiast website, and I also run into your issues. This is a site that had its heyday at around year 2000 and now functions as an archive. Around 3 times every year, Google Safe Browsing identifies a new piece of "malware", usually written and uploaded around 1999 to 2002. Never mind that it's always been there. Never mind that nobody has touched it for over a decade. Scanning this file with VirusTotal inevitably shows that there is a virus, but it's never by the popular virus software like Symantec or others, always the ones you've never even heard of - once, one of its virus scanners even showed there is a virus on a 530-byte text file.

So what's the solution? Given that Google Safe Browsing is the judge, jury and executioner, you have 3 options:

1. Delete the file and do something else with your life (recommended for sanity)
2. Radically change the contents of the file (usually, if after changes VirusTotal doesn't pick it up, you're good to go)
3. Put the file download behind a login

Personally, I wouldn't care for it much, I just find it sad when I have to delete a piece of software that can't really be found anywhere else.



 

@LarsenBagley505

...compressed the app's EXE with UPX compressor...


Back in the day (~10 years ago) UPX was commonly used by viruses to make them more difficult to reverse-engineer. In fact, it became so common that many anti-viruses now consider any UPX-packed program a threat by default. This is almost certainly your issue.

You really only have two options:

1. Use VirusTotal to determine which sites believe your software is malware, and submit your program to those companies as a false-positive.
2. Use a different method to compress your software. A good alternative is self-extracting executables, which should do nearly as good a job at compressing your software, without the suspicious obfuscation.



 

@Murray432

I've had to discontinue use of UPX with my own software because many virus scanners consider packer use to be de facto evidence of wrongdoing. You might try posting an unpacked version of your download and see if the warning goes away.

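The two comments above (LarsenBagley505 and Murray432) both say that scanners treat a UPX-packed executable as suspicious on sight. A site owner can check for that before uploading an installer: UPX leaves sections named UPX0/UPX1 in the PE section table, and reading the section names needs only the file headers. This is an added example, not code from the thread; `pe_section_names`, `looks_upx_packed` and `build_header` are names chosen here, and the PE header bytes are constructed in the block rather than taken from the software discussed.

```python
import struct

def pe_section_names(data):
    """Read the section names out of a PE image: DOS header -> e_lfanew -> PE
    signature -> COFF header -> section table. Only headers are parsed; nothing runs."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_header_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_header_size                               # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]                 # 8-byte Name field
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_upx_packed(section_names):
    """UPX names its sections UPX0/UPX1 (plus UPX2 or .rsrc); that naming is one of the
    cheap heuristics scanners key on. A packer run with renamed sections would not be
    caught here, so a clean result is not proof that the binary is unpacked."""
    return any(name.startswith("UPX") for name in section_names)

def build_header(section_names, opt_header_size=224):
    """Constructed sample for the demo: a minimal PE header carrying the given section
    names. It is not a loadable program, just enough bytes for the parser above."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_header_size, 0x102)
    image = dos + b"PE\0\0" + coff + b"\0" * opt_header_size
    for name in section_names:
        image += name.encode("ascii").ljust(8, b"\0") + b"\0" * 32    # rest of the 40-byte header
    return image

if __name__ == "__main__":
    for label, names in (("upx-packed", ["UPX0", "UPX1", ".rsrc"]),
                         ("plain", [".text", ".rdata", ".data", ".rsrc"])):
        found = pe_section_names(build_header(names))
        print(f"{label:10} sections={found} upx={looks_upx_packed(found)}")
```

To run it on a real installer, pass `open(path, "rb").read()` to `pe_section_names` instead of the constructed header.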


 

@Yeniel560

I did a view source on the page you linked, and well, that raises a question: Was it you that added the following script tag to your site? Or did someone manage to sneak that into your WordPress?

<script type='text/javascript' src='http://www.andreszsogon.com/wp-content/themes/contango/lib/js/superfish/superfish-combine.min.js?ver=1.5.9'></script>


As I would rather strongly suspect that including anything from superfish would get you blocked by Google's Safe Search database. It nearly goes without saying that superfish has a very bad reputation. After all, look at what happened to Lenovo for including superfish software on their notebooks toward the end of last year. They took a HUGE PR hit.

Also, as AV software very often cannot or will not find many, if any, files containing malicious PHP, I would strongly advise manually searching (well, with Windows find or *nix grep, whichever the case may be for the platform your site is running on) through your entire WordPress installation for files that don't belong and ESPECIALLY any files that contain PHP code with eval() and/or base64_decode() in them, especially nested! If you find any that are not obviously part of the system and expected, then you should immediately start a new installation of WordPress and move your wp-content directory over into it, provided that there are not any bad files in there as well. If there are, you would be best off starting the site over from scratch. Fortunately that is pretty easy with a WordPress site.

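Yeniel560's grep suggestion above, turned into a small triage script: it walks a site tree, looks for PHP files that call eval() and base64_decode(), and ranks the nested eval(base64_decode(...)) shape above files that merely contain both calls. This is an added example and not part of the thread; the function names are chosen here, and the three sample files it scans are constructed inside a temporary directory, not taken from the site under discussion.

```python
import os
import re
import tempfile

# Patterns for the two calls the comment singles out. PHP function names are
# case-insensitive, and `\s*` tolerates whitespace inserted to dodge naive greps.
EVAL_RE = re.compile(r"\beval\s*\(", re.I)
B64_RE = re.compile(r"\bbase64_decode\s*\(", re.I)
NESTED_RE = re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I)   # the "nested" shape

def scan_php_tree(root):
    """Walk a site tree and return (relative path, finding) for PHP files worth a look.
    This is a triage list, not a verdict: legitimate WordPress files also call
    base64_decode(), so each hit still has to be compared against a clean install."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if NESTED_RE.search(text):
                findings.append((rel, "high: eval(base64_decode(...)) nested"))
            elif EVAL_RE.search(text) and B64_RE.search(text):
                findings.append((rel, "medium: eval() and base64_decode() in one file"))
    return sorted(findings)

# Constructed sample files standing in for a WordPress tree (not taken from the site
# in the thread): one clean theme file, one planted dropper, one borderline file.
SAMPLES = {
    "wp-content/themes/contango/functions.php":
        "<?php\nfunction theme_setup() { add_theme_support('menus'); }\n",
    "wp-content/uploads/cache.php":
        "<?php\n@EVAL ( base64_decode($payload) );\n",
    "wp-includes/class-helper.php":
        "<?php\n$raw = base64_decode($encoded);\nif ($debug) { eval($snippet); }\n",
}

def demo():
    """Write the samples into a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_php_tree(root)
```

Against a real install, call `scan_php_tree("/path/to/wordpress")` and diff the flagged files against a fresh copy of the same WordPress version.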


 

@Angela700

Before getting too caught up in your anger against Firefox and Google Safe Browsing, the first step is to figure out whether Google Safe Browsing is right. It's not uncommon for sites to distribute executables that contain malware or viruses, without realizing they're doing it. Often, Google Safe Browsing is right and the site maintainers just weren't aware of the situation -- sometimes their site was hacked, or sometimes someone uploaded some files that are virus-infected without realizing it.

So, start by taking a close look at your site to see if any of your downloads are possibly problematic. You can start by perusing the Webmaster Help from stopbadware.org and Google's Webmasters help for hacked sites. Then, there are a few general steps you should be taking:

1. Check whether there's any malware on your site. You need to scan your site carefully to check whether any of the file downloads are dangerous or contain viruses/malware. You can start by using Google Webmaster Tools to check what bad files Google detected. You should also look at the detailed diagnostic page from Google Safe Browsing and look closely at the specific pages and files listed there. You can view the diagnostic page here to see which pages specifically triggered the listing. I also suggest that you upload each of the EXE's you make available on your site to VirusTotal and check them for viruses.

2. Check whether your site has any security holes or has been hacked. Often, what happens is that hackers find a site that has some security holes, compromise the site, and modify it to insert malware onto the site. The first the site administrators learn of this is when they get listed on Google Safe Browsing. So, you should check carefully whether this has happened to you. Here are a few free services that will scan your website for you:

   Sucuri site scan
   SparkTrust site scan
   Redleg site scan
   Unmask Parasites site scan

   If you find security weaknesses, take your site offline and fix them. If you find that your site has been compromised, it's likely that you'll need to wipe the site and reload everything from a known-good backup. See www.stopbadware.org/hacked-sites-resources for more resources.

3. Protect your site against hacking. I suggest you review your site security and make sure it is well-protected against hacking, to prevent someone from breaking in and modifying it to serve malware. See, e.g., www.stopbadware.org/prevent-badware-basics for some background. Also make sure that your site software is fully updated.

When I use these tools, here is what I find:

1. Sucuri says you are running an outdated version of WordPress (pre-4.2). It looks like you are running WordPress 3.8.1; 4.2.2 is the current version. This makes it likely that your site is vulnerable and can be compromised: there are multiple known vulnerabilities in WordPress 3.8.1. You should make sure to always run up-to-date versions of software. When you fail to keep up-to-date, it creates an opportunity for attackers to compromise your site and use it to host malware. So, upgrade WordPress.

2. Google Safe Browsing says that your site was hosting malware when Google visited on 2015-05-10: "1 page(s) resulted in malicious software being downloaded and installed without user consent". Apparently no malware was found on the latest visit, 2015-05-25, so it sounds like at some point in the past, your site was hosting malware, but it isn't any longer.

It's not clear what the problematic page was. The report for andreszsogon.com/grf-wizard says there were no malicious pages found under /grf-wizard. So, you can infer that the problematic page must have been some other page under andreszsogon.com -- but it wasn't anything under /grf-wizard. I tried playing around with Google Safe Browsing's online interface, but I wasn't able to narrow down which page caused your site to be listed in their system.



 

@Odierno851

Source: Recently started to delete downloads claiming 'virus or spyware'.

"Last two days, some of the download have been started to be deleted by saying that 'Blocked: may contain virus or spyware' error message, at download window."

...

Firefox uses data from Google's "Safe Browsing" project to assess the reputation of websites and downloads. Every so often Google changes the data it supplies, for example, it may be flagging potentially unwanted programs in addition to actual malware.

For the future, the developers are considering an option to override the block and get the file anyway. It probably will be at least a few months before that appears because security-sensitive changes take time to design.

For now, if you think these file blocks are "false positives" and that the files actually are safe, you could do one of the following:

(1) Download the file using a different browser (yikes)

(2) Download the file using a downloader add-on that bypasses this security check. I heard about this in another thread but haven't tried it myself (and also, I don't know which add-ons to trust for this!).

(3) Disable the Safe Browsing feature temporarily to get the file, then turn it back on. There is a checkbox in the Options dialog:

"3-bar" menu button (or Tools menu) > Options > Advanced

On the Security tab, it's the "Block reported attack sites" checkbox. The other checkbox relates to phishing sites and I don't think it affects downloads.

Source: How does built-in Phishing and Malware Protection work?

Firefox contains built-in Phishing and Malware Protection to help keep you safe online. These features will warn you when a page you visit has been reported as a Web Forgery of a legitimate site (sometimes called “phishing” pages) or as an Attack Site designed to harm your computer (otherwise known as malware). This feature also warns you if you download files that are detected as malware.

...

"I’ve confirmed that my site is safe, how do I get it removed from the lists?"

If you own a site that was attacked and you have since repaired it, or if you feel that your site was reported in error, you can request that it be removed from the lists. We encourage site owners to investigate any such report thoroughly, though; a site can often be turned into an attack site without any visible change.

To request removal from the list of reported phishing sites, use this form provided by Google.
To request removal from the list of reported malware sites, use this one, provided by stopbadware.org.
